Posted on 2009-04-23
Last Modified: 2012-06-27

Hello everyone,

I am not very familiar with this file, but a few months ago I had some kind of spyware issue,
and it pointed to this file that is located in C:\WINDOWS\System32

That time I fixed it by restarting my PC in safe mode and deleting one of the files, actually the one
in C:\WINDOWS\system32\dllcache

Today I received an alert from my firewall alerting me about this file trying to access the Internet.
What I know about this file is that it may be a virus and there should be only one in my system,
but right now I see two of them:

spoolsv.exe  C:\WINDOWS\system32
spoolsv.exe  C:\WINDOWS\system32\dllcache

I was hoping someone can tell me a little more about this file or process and what to do next.


Question by:at_the_biginning
    LVL 3

    Expert Comment

    spoolsv.exe handles your printing.
    If you don't have to print right now, go to Control Panel, Services, and shut off the Print Spooler.
    Unless you are trying to print to a printer on the Internet, that process should not be connecting there.

    The one in c:\windows\system32 is the correct location, but that file may still be infected.

    There are a number of viruses/spyware that it could be.

    You should run a full virus scan, and also scan for spyware.
    For spyware, try Malwarebytes.

    Also, apply all patches from Microsoft.
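
The two checks from the comment above (spoolsv.exe belongs in C:\WINDOWS\system32, and it should not be connecting to the Internet unless you print to an Internet printer), written as a small triage script. This is an added example, not part of the original thread; the process and connection records are constructed sample data, and the function names and the list of networks treated as local are assumptions.

```python
import ipaddress
import ntpath

# Constructed sample data (not from the thread), shaped like what
# `wmic process get ProcessId,Name,ExecutablePath` and `netstat -ano` report.
SAMPLE_PROCESSES = [  # (pid, image name, image path)
    (1480, "spoolsv.exe", r"C:\WINDOWS\system32\spoolsv.exe"),
    (2312, "spoolsv.exe", r"C:\WINDOWS\System32\dllcache\spoolsv.exe"),
    (3004, "SPOOLSV.EXE", r"c:\windows\SYSTEM32\spoolsv.exe"),
    (812, "svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
]
SAMPLE_CONNECTIONS = [  # (pid, remote address, remote port)
    (1480, "192.168.1.50", 9100),  # printer on the LAN
    (3004, "203.0.113.25", 6667),  # documentation-range address standing in for an Internet host
    (812, "198.51.100.7", 443),    # not spoolsv.exe, so outside this check
]

EXPECTED_DIR = r"C:\WINDOWS\system32"  # the location the comment above calls correct
# Assumed definition of "local": RFC 1918 ranges, loopback and link-local.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_off_lan(ip):
    """True when the remote address is outside every network in LOCAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LOCAL_NETS)


def triage_spoolsv(processes, connections, expected_dir=EXPECTED_DIR):
    """Return (pid, reason) findings for spoolsv.exe processes worth a closer look."""
    findings, spool_pids = [], set()
    for pid, name, path in processes:
        if name.lower() != "spoolsv.exe":
            continue
        spool_pids.add(pid)
        # Windows paths are case-insensitive, so compare normalized directories.
        if ntpath.normcase(ntpath.dirname(path)) != ntpath.normcase(expected_dir):
            findings.append((pid, "image outside " + expected_dir + ": " + path))
    for pid, ip, port in connections:
        if pid in spool_pids and is_off_lan(ip):
            findings.append((pid, "connection to non-local address %s:%d" % (ip, port)))
    return findings


if __name__ == "__main__":
    for pid, reason in triage_spoolsv(SAMPLE_PROCESSES, SAMPLE_CONNECTIONS):
        print(pid, reason)
```

A process in the expected folder with no off-LAN connection produces no finding, which matches the comment's caveat that the file in the correct location may still be infected and needs a scan.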

    Author Comment


    Hello scwoa,

    The Spoolsv located in C:\WINDOWS\System32,
    I know this file is part of the system and services,
    but not the one in C:\WINDOWS\System32\dllcache.

    This is some kind of a virus and malware, and I needed
    to know some more details and also how to deal with it.

    And about "Malwarebytes": I know this program, I always use it,
    but this program doesn't detect this kind of infection, at least not yet.

    LVL 47

    Expert Comment

    Run Combofix; it will detect whether spoolsv.exe in the system32 folder really is infected. spoolsv.exe by default is not located in the DLLCache folder, as already stated.
    So by running Combofix, it should tell us which system files are patched.

    Please download ComboFix by sUBs:

    You must download it to and run it from your Desktop.
    Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    Double-click combofix.exe and follow the prompts.
    When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
    Re-enable all the programs that were disabled during the running of ComboFix.

    Do not mouse-click combofix's window while it is running. That may cause it to stall.
    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    If needed, here's the Combofix tutorial which includes the installation of the Recovery Console:

    Author Comment


    Hi rpggamergirl,

    The PC I had with this issue was giving me too many problems, and after not getting an
    answer on how to deal with this problem, I ended up installing a fresh copy of Windows,
    and that solved my problem. Well, that's not what I wanted, but like I said, I wanted to get
    a good answer to see if I could come up with a solution and at the same time find out if
    the Spoolsv located in C:\WINDOWS\System32\dllcache was really malware or not.

    This happened to me like a year ago, and I found a page with nice details about this malware
    and how to deal with it step by step. But after taking care of the situation I never took the
    time to save that nice info, at least to Favorites or to a Notepad text document, for future
    reference. Then one day I got stuck in the same situation and I went back to that page again,
    but the page was now gone.

    But this time, since I want to take advantage of the points I have here in EE, I wondered
    if someone out there could suggest something close to the solution I found a year ago.

    Now about Combofix: I know this tool, it is really nice and I know how to use it, but I scanned
    the PC with the spoolsv and did not detect anything related to C:\WINDOWS\System32\dllcache.

    But once again, from the experience I had with spoolsv.exe, I know it was malware or a virus,
    'cause like it happened a year ago, it acted the same way this time: it keeps trying
    to get access to the Internet and you see the firewall always blocking this executable intrusion.

    You have no idea how much I appreciate your help and your info, but like I said, I reformatted the PC
    that had this problem and I cannot execute any test now. :-(

    So even if you guys did not answer my question, I will consider it answered and will split points.

    Thanks anyway
    LVL 47

    Expert Comment


    >>>"but I scanned the PC with the spoolsv and did not detect anything related to C:\WINDOWS\System32\dllcache"<<<

    If you scanned the system with combofix, did the log show spoolsv.exe from the DLLCache folder listed under the "Sigcheck" section of the log?

    There are a few spoolsv backdoor/trojans, for example below:

    And SDBot/IRCBot:

    and worm.32.autorun:

    And virut/sality infection below:
    c:\windows\system32\spoolsv.exe . . . is infected!!

    And spoolsv.exe trojan.Pandex which tries to connect to download more files.

    >>>"so even if you guys did not answer my question, I will consider it answered and will split points."<<<
    It's okay.. you don't have to award points here.. don't worry :)

    Author Comment


    No, Combofix did not show anything related to Spoolsv.exe in the scan log.

    With regard to what I said about the award points, sorry, it was just a way of saying it.
    I didn't mean to offend anyone, or you.

    I am reading the links you posted; I'll let you know of anything.

    Thank you

    LVL 47

    Accepted Solution

    No... you didn't offend me, :)
    Lots of EE members don't give points when their questions aren't answered, that's normal. And you're so generous to offer/award points, thank you.

    It's past midnight here, so bye for now I'm off to bed.

    Author Comment


    Other than Combofix, just threats; there are no solutions for the spoolsv.exe.
    The pages describe some users' scans, which then show spoolsv as an
    infected possible trojan horse.

    But I did not find any suggestion on what to use to get rid of it.

    Thank you
    LVL 47

    Expert Comment

    Sorry I wasn't much help on this.

    Thanks for the points... it's very nice of you I really appreciate it.

    Thank you for using Experts-Exchange!
